SonicWALL Inc.

11/04/2024 | Press release | Distributed by Public on 11/05/2024 02:40

GoZone Ransomware Adopts Coercive Tactics to Extract Payment

This week, the SonicWall Capture Labs threat research team analyzed a ransomware that not only encrypts files but also accuses the victim of harboring explicit content on their computer and then threatens to turn it over to authorities if ransom is not paid. Extortion attacks often come as unsolicited emails, and GoZone has stooped to pretending to find explicit content on victims' machines to extract payment.

Infection Cycle

This ransomware is written in Go. Strings in the binary show that it uses the ChaCha20 and RSA encryption packages.

Figure 1: References to the ChaCha20 package in the binary's strings

Figure 2: References to the RSA package in the binary's strings

Upon execution, it encrypts files on the victim's machine and appends "d3prU" to the name of every encrypted file.

Figure 3: Encrypted files with d3prU file extension

A readme text file is created in every directory where files have been encrypted. This is one of two ransom notes that the malware creates.

Figure 4: Readme ransom note

It also creates a second ransom note as an HTML file, which is then opened in the user's default browser.

Figure 5: Ransom note in HTML format

To ensure that the victim does not miss the ransom payment instructions, the desktop wallpaper is also changed to show instructions on how to pay.

Figure 6: Desktop wallpaper showing payment instructions

The QR code at the bottom of the desktop wallpaper does nothing more than copy the Bitcoin address "bc1qwemkeh2vu5ftzgat3sk87gr4mlskw898xd6tk5" into a browser. Checking this Bitcoin address on the blockchain reveals only a couple of transactions.

Figure 7: Recent transactions on this ransomware's Bitcoin address
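The artifacts described above (the appended "d3prU" marker, a readme note dropped in every encrypted directory, an HTML note, and the attacker's Bitcoin address) are enough for a responder to triage a suspect file system. The following Python script is an added example written for this analysis, not code from SonicWall or from the malware; it assumes the marker is appended to the original file name, that the notes are named with a "readme" prefix, and the sample directory tree it builds is constructed test data, not real ransomware output.

```python
import os
import tempfile
from pathlib import Path

# Values taken from the write-up. The "readme" file-name prefix and the
# assumption that "d3prU" is appended to the original file name are
# assumptions made for this example.
ENCRYPTED_SUFFIX = "d3prU"
BTC_ADDRESS = "bc1qwemkeh2vu5ftzgat3sk87gr4mlskw898xd6tk5"
NOTE_NAME_PREFIX = "readme"


def is_encrypted_name(name: str) -> bool:
    """True if a file name carries the d3prU marker the ransomware appends."""
    return name.endswith(ENCRYPTED_SUFFIX) and name != ENCRYPTED_SUFFIX


def is_ransom_note(path: Path) -> bool:
    """A readme-style text or HTML file that references the attacker's Bitcoin address."""
    if not path.name.lower().startswith(NOTE_NAME_PREFIX):
        return False
    try:
        data = path.read_bytes()[:65536]  # notes are small; cap the read anyway
    except OSError:
        return False
    return BTC_ADDRESS.encode() in data


def triage(root) -> dict:
    """Walk root and summarise encrypted files and ransom notes found beneath it."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if is_encrypted_name(f):
                encrypted.append(p)
            elif is_ransom_note(p):
                notes.append(p)
    dirs_with_encrypted = {p.parent for p in encrypted}
    dirs_with_notes = {p.parent for p in notes}
    return {
        "encrypted_files": sorted(str(p.relative_to(root)) for p in encrypted),
        "ransom_notes": sorted(str(p.relative_to(root)) for p in notes),
        "directories_hit": len(dirs_with_encrypted),
        # A note without encrypted neighbours (e.g. the HTML note at the top
        # level) is still an indicator and is reported separately.
        "note_without_encrypted": sorted(
            str(d.relative_to(root)) for d in dirs_with_notes - dirs_with_encrypted
        ),
    }


def build_sample_tree() -> str:
    """Constructed sample data (not real malware output) used to exercise triage()."""
    root = Path(tempfile.mkdtemp(prefix="gozone_demo_"))
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / "budget.xlsx.d3prU").write_bytes(b"\x00ciphertext")
    (docs / "notes.txt.d3prU").write_bytes(b"\x00ciphertext")
    (docs / "readme.txt").write_text("Your files are encrypted. Pay to " + BTC_ADDRESS)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8untouched")
    (root / "README.html").write_text("<html>" + BTC_ADDRESS + "</html>")
    return str(root)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Run it against a mounted image or a share root instead of the sample tree to get a per-directory picture of what was touched; the report separates directories that only hold a note from those with encrypted files, which helps when deciding which volumes to restore.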

The victim is unable to change this wallpaper because the ransomware has disabled the ability to update the background settings.

Figure 8: Background settings grayed out and unable to change

Upon further analysis, we found references to ransomware modules that indicate the capabilities this malware can employ:

  • Add a scheduled task
  • Disable UAC
  • UAC Bypass
  • Set wallpaper
  • Self delete
  • Overwrite MBR
  • Remove system restore

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GoZone.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.